Hydra - make builder use ssh private key

fghibellini · April 15, 2019, 3:51pm

I started a Hydra service on NixOS. I succesfully added a project that checks out a private git repository by adding the ssh key to the hydra user’s .ssh folder, but when that actual jobs run they fail with:

<3>exporting <GIT_URL> (rev <COMMIT>) into <STORE_PKG_PATH>
<3>Initialized empty Git repository in <STORE_PKG_PATH>/.git/
<3>No user exists for uid 1000
<3>fatal: Could not read from remote repository.
<3>
<3>Please make sure you have the correct access rights
<3>and the repository exists.
<3>No user exists for uid 1000
<3>fatal: Could not read from remote repository.
<3>
<3>Please make sure you have the correct access rights
<3>and the repository exists.
<3>Unable to checkout <COMMIT> from <GIT_URL>
<3>builder for <NIX_STORE_PATH> failed with exit code 1

even though I added the key to all 3 users hydra, hydra-queue-runner and root and tested with all 3 of them that they are indeed able to clone the repo.

The job expressions reference the git repository by calling fetchgit.

fghibellini · April 16, 2019, 8:41am

I now came across this thread from 2017.
Even though in it they’re using fetchgitPrivate, it points out possible causes for my issue.

Most likely the builds being run by nixbldX users or one of the restrictions of sandboxed mode.

The resolution of the thread was that you basically want to pass the private repo sources as inputs to your build and let hydra fetch them for you.

This doesn’t feel too nice as I don’t see the reason why private repos should be handled differently from publicly accessible ones so if anyone has a more up to date solution feel free to share any ideas.

fghibellini · April 16, 2019, 9:14am

Related github issue 43583 - Add private option to fetchFromGitLab

FRidh · April 16, 2019, 12:19pm

I recommend using builtins.fetchGit. It will use the SSH configuration of the user invoking the build. In a project of mine I am now converting all uses of nixpkgs.fetchgitPrivate to builtins.fetchGit.

fghibellini · April 16, 2019, 1:02pm

That’s exactly what I was trying to use today.
But then the evaluation phase fails with

hydra-eval-jobs returned exit code 1:
error: access to URI '<URL>' is forbidden in restricted mode

fghibellini · April 16, 2019, 2:00pm

Update:
in your nixos config you can specify:

nix.extraOptions = ''
  allowed-uris = <space separated list of uris>
'';

after which nixos-rebuild switch will complain with:

warning: unknown setting 'allowed-uris'

which is confusing cause after restarting:

systemctl restart hydra-evaluator.service
systemctl restart hydra-queue-runner.service

the evaluation succeeds.

It is not clear to me though why builtins.fetchGit is restricted while all other methods get to access repos without any restrictions (just immagine listing the urls used by nixpkgs).

FRidh · April 16, 2019, 2:26pm

The difference is between whether the fetching is done by the evaluator or as a build step. builtins.fetchGit and builtins.fetchTarball are typically executed during evaluation because their purpose is to fetch Nix expressions. On the other hand, nixpkgs.fetchurl and nixpkgs.fetchgit are typically executed as a build.